(D103) Server Security
Policy
Only Information Technology or its designees may authorize the connection of a server to the SUNY Polytechnic Institute network. Servers shall be authorized only for those activities that directly support the education, research, public service or health care missions of the University. Server ports shall be limited to only those necessary to accomplish the functions being served.
- Definitions:
- Administrator: means any individual who operates or maintains a SUNY Polytechnic Institute server or network, including, if appropriate, data custodians.
- Authentication: means the process used to determine the identity of a user.
- Server: computer that shares resources (applications, files, etc.) with other computers (i.e., clients) on a network. Servers shall be given ‘static' (persistent) IP addresses.
- Access Control: Access to SUNY Polytechnic Institute servers and networks is tightly controlled to shield SUNY Polytechnic Institute systems from vulnerabilities. If an administrator is not a SUNY Polytechnic Institute employee (i.e. a consultant or student assistant), the Information Technology staff shall set up the access control systems including firewalls, reverse proxies and similar technologies.
Servers shall be located in a secured space with access strictly limited to only those individuals authorized to administer or maintain them.
Each administrator shall insure that:- only authorized users have access to the server;
- passwords for servers that use only User ID / Password authentication are changed on a periodic basis;
- administration of the server is local or through the use of an encrypted session;
- server access is limited through the use of control systems such as host-based firewalls or similar technologies;
- servers containing critical SUNY Polytechnic Institute records are backed-up on a routine basis to protect the integrity of data, with back-up media stored off-site.
Each administrator shall insure that access to information stored on servers under their direct control complies with the requirements of FERPA, HIPAA, the Gramm-Leach-Bliley Act and other applicable laws.
- Connecting Servers to the University Network: Before a new server may be connected to the SUNY Polytechnic Institute network, the following data shall be provided to the Information technology Department for review:
- Owner of record (department or project name)
- Contact information for responsible person (name, pager, emergency phone)
- Name of the administrator (sysadmin)
- Server location, building and room
- Server make, model
- Server purpose
- Operating System, vendor, version number and patches applied
- MAC address
- Requested server name
- Status of patches necessary to eliminate known vulnerabilities. If Information Technology approves the application, Telnet shall issue the server a static IP address.
No system will be connected to the campus network unless all vendor-supplied passwords have been changed from their default values.
- Server Maintenance:
- Administrators shall maintain and upgrade the operating system and applications for each server under their jurisdiction.
- Server software shall be upgraded when necessary.
- Administrators shall monitor software vendor announcements and other resources to determine the need to apply patches to software, and shall apply patches to operating systems and applications as often as practical. Critical patches shall be applied immediately on availability.
- Servers that contain vulnerabilities may be removed from the network until properly updated.
Information Technology may scan any server connected to the SUNY Polytechnic Institute network for known or suspected vulnerabilities at any time, without notice. - Disposal of Servers: Administrators shall remove all data, including all software from server hard disks before the server or its storage media is sent to Property Control, transferred to another unit, discarded or repurposed. Data removal must be done in such a manner that it cannot be recovered. If necessary, the Help Desk shall assist with purging a server of data and software.
Policy last reviewed August 2024